SCADA HMI Devs Take 150 Days to Release Patches

It takes SCADA vendors on average 150 days to release security patches, leaving organizations exposed for around a month longer than for popular software like Windows, according to a new report from Trend Micro.

As its name suggests, the HMI allows an operator to control the associated SCADA system, which makes it a “primary target” which should only be installed on an air-gapped network or else isolated on a trusted network. However, the report claimed this often isn’t the case

Trend Micro analyzed all the now-patched bugs listed in 2015 and 2016 ICS-CERT advisories as well as 250 zero days purchased by its own ZDI program to see where the main weaknesses lie in HMI systems.

On the plus side, it found that most were easily preventable with better coding and fit in four main categories.

Trend Micro therefore urged developers of HMI systems to adopt the more secure development practices now widely used by mainstream OS and app developers.

Even basic fuzzing techniques, or auditing for banned APIs could help improve security here, it claimed.

Another area that needs addressing is the 146-day window that currently exists on average between vulnerability disclosure and a patch being made available by said HMI developer.

By comparison, the likes of Microsoft and Adobe take just 116 on average, while less popular business app providers like HPE and IBM do worse, taking 189 days, the report said.

Simon Edwards, European cybersecurity architect at Trend Micro, explained that patches are often delayed even when one is available because of their potential operational impact on affected systems.

“Overall this highlights the need for virtual patching – whether on the host or on the network – which can identify exploits targeting vulnerabilities in the system and stop them ever being able to execute,” he told Infosecurity Magazine.

“There’s also a need for organizations to review their security controls; WannaCry has been a wake-up call for the NHS, let us hope that something similar does not happen to other critical infrastructure.”

“We all need to work together to reduce the existence of vulnerabilities which in turn negates the need to patch them. Progress is being made on all fronts from original equipment manufacturers, computer emergency response teams, and SCADA operators who together have compressed the time to discover and remediate vulnerabilities so things are improving, but that must continue,” he added.

“Once available operators need to plan how and when to implement which, within ICS, can be problematic as system upgrade cycles can in themselves be lengthy.”